500 Error when using custom account for application pool in IIS 7

11

I have a very simple site with only static files in IIS 7 on Windows Server 2008 SP2.

When I try to access any static file I get a 500 error. If I rename an html file to have an aspx extension it works fine.

The site also works fine when using the built in identity for the application pool. The problem occurs when I switch to using a custom account for the application pool. I have tried using both local and domain accounts to run the application pool under.

I have given full control to these accounts on the website directory and files.

Turning on tracing reveals this error message:
ModuleName: IIS Web Core
Notification: 2
HttpStatus: 500
HttpReason: Internal Server Error
HttpSubStatus: 0
ErrorCode: 2147943746
ConfigExceptionInfo
Notification: AUTHENTICATE_REQUEST
ErrorCode: Either a required impersonation level was not provided, or the provided impersonation level is invalid. (0x80070542)

I have not had any luck with googling the error code.

iis-7
application-pools
asked on Server Fault Aug 5, 2009 by Brownie

5 Answers

9

Problem solved: The IIS_IUSRS group was missing from the "impersonate a client after authentication" setting in the local security policy.

answered on Server Fault Aug 5, 2009 by Brownie
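
To check for the condition this answer describes, the following added example (not code from the original posts) parses a `secedit /export /areas USER_RIGHTS` file and reports whether the IIS_IUSRS group (well-known SID S-1-5-32-568) is listed under SeImpersonatePrivilege, the policy's internal name for "Impersonate a client after authentication". The INF text embedded in it is constructed sample data, and the function names are hypothetical.

```powershell
# Added example. Audits a "secedit /export" file for the user right
# "Impersonate a client after authentication" (SeImpersonatePrivilege).
# On a real server, create the file from an elevated prompt:
#   secedit /export /areas USER_RIGHTS /cfg C:\Temp\rights.inf
# then pass (Get-Content C:\Temp\rights.inf) instead of the samples below.

$IisIusrsSid = 'S-1-5-32-568'   # well-known SID of BUILTIN\IIS_IUSRS

function Get-UserRightHolders {          # hypothetical helper name
    param([string[]]$InfLines, [string]$Right = 'SeImpersonatePrivilege')
    $pattern = '^' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $text -match $pattern) {
            # Comma-separated list; SIDs carry a leading '*', names do not.
            return $Matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
        }
    }
    # Falls through with no output when the right is assigned to nobody.
}

function Test-IisIusrsCanImpersonate {   # hypothetical helper name
    param([string[]]$InfLines)
    @(Get-UserRightHolders -InfLines $InfLines) -contains $IisIusrsSid
}

# Constructed sample exports (not taken from a real machine).
$missing = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
'@ -split "`r?`n"

$present = @'
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-568,*S-1-5-6
'@ -split "`r?`n"

foreach ($case in @{ missing = $missing; present = $present }.GetEnumerator()) {
    '{0}: IIS_IUSRS listed = {1}' -f $case.Key,
        (Test-IisIusrsCanImpersonate -InfLines $case.Value)
}
```

A domain Group Policy can overwrite this user right on refresh, so a local fix that disappears again points at the GPO rather than at IIS.
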
1

You can try to change the application pool for this virtual application and give this new pool personal permissions.

To give permissions to a specific pool, just give permissions to the user "IIS APPPOOL\YOUR_POOL_NAME".

answered on Server Fault Jan 10, 2011 by MNK_real
0

In addition to Brownie's answer (it is correct, you have to give this right to the app pool account): if IIS sends you this error when you call it using a WCF client (and Windows authentication is enabled in IIS), it may be because the flags of the NTLM token given to IIS do not allow it to impersonate the caller.

Modify the config of your client from this (the default):

<behavior name="NewBehavior">
  <clientCredentials>
    <windows allowedImpersonationLevel="Identification" />
  </clientCredentials>
</behavior>

To this:

<behavior name="NewBehavior">
  <clientCredentials>
    <windows allowedImpersonationLevel="Impersonation" />
  </clientCredentials>
</behavior>

Check this article for details: Impersonation and Delegation in WCF

answered on Server Fault Mar 13, 2015 by Matthieu
0

In my environment, due to group policy settings, I wasn't allowed to change the "impersonate a client after authentication" setting nor to add the app pool user to local admins, so I went looking for why the impersonation was happening at all. By default, anonymous authentication was set to use the IUSR user, so the app pool user was trying to impersonate it.

I've changed the Anonymous user identity to "Application pool identity" so there's no need for impersonation. [Image: Anonymous authentication as application pool identity]

answered on Server Fault Dec 7, 2020 by Petar Weigand
0

Windows Server 2016, IIS 10.

This problem can be solved when I give the custom account administrator rights. But I am afraid that the global administrator will remove the administrator rights of this account. So I have to find other solutions.

I can't add "impersonate a client after authentication".

I also tried Petar Weigand's method, but it didn't work for me.

After a lot of attempts, I found that adding the custom account to "Connect As" can solve the problem.

answered on Server Fault May 13, 2021 by 碧色苍穹 • edited May 13, 2021 by 碧色苍穹

User contributions licensed under CC BY-SA 3.0